From d8ae939d79379250147bc138b19bc0715814fdc6 Mon Sep 17 00:00:00 2001
From: Hidde Beydals <hidde@hhh.computer>
Date: Fri, 29 May 2026 22:11:17 +0200
Subject: [PATCH] Wire SSH signing into bootstrap git

Reads --ssh-signing-key-file when set, decodes the file contents,
resolves the effective signing passphrase, and appends
bootstrap.WithSSHCommitSigning to the bootstrap options. When
--ssh-signing-reuse-private-key is set, reads the transport
--private-key-file, pre-flights it against the subcommand-local
gitArgs.password, and reuses the same bytes + passphrase for signing.

The reuse-path pre-flight lives in this subcommand's RunE because
bootstrapValidate does not have access to the transport password.
Mutual exclusion with --gpg-* and explicit-path key-parse validation
are enforced upstream in bootstrapValidate.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
---
 cmd/flux/bootstrap_git.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/cmd/flux/bootstrap_git.go b/cmd/flux/bootstrap_git.go
index 494e1fd3..e694d773 100644
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -30,6 +30,7 @@ import (
 
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
+	"github.com/fluxcd/pkg/git/signature"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -315,6 +316,33 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 
+	if bootstrapArgs.sshSigningKeyFile != "" {
+		pemBytes, err := os.ReadFile(bootstrapArgs.sshSigningKeyFile)
+		if err != nil {
+			return fmt.Errorf("failed to read SSH signing key file: %w", err)
+		}
+		pwd, err := effectiveSshSigningPassword()
+		if err != nil {
+			return err
+		}
+		bootstrapOpts = append(bootstrapOpts,
+			bootstrap.WithSSHCommitSigning(pemBytes, []byte(pwd)))
+	}
+
+	if bootstrapArgs.sshSigningReusePrivateKey {
+		pemBytes, err := os.ReadFile(bootstrapArgs.privateKeyFile)
+		if err != nil {
+			return fmt.Errorf("failed to read transport private key for signing: %w", err)
+		}
+		// Reuse-path pre-flight: bootstrapValidate cannot run this check
+		// because the SSH transport password is subcommand-local.
+		if _, err := signature.NewSSHSigner(pemBytes, []byte(gitArgs.password)); err != nil {
+			return fmt.Errorf("invalid signing key (reused from --private-key-file): %w", err)
+		}
+		bootstrapOpts = append(bootstrapOpts,
+			bootstrap.WithSSHCommitSigning(pemBytes, []byte(gitArgs.password)))
+	}
+
 	// Setup bootstrapper with constructed configs
 	b, err := bootstrap.NewPlainGitProvider(gitClient, kubeClient, bootstrapOpts...)
 	if err != nil {